triage.zip provides an out-of-the-box Velociraptor triage collector for Windows, pre-configured for rapid and effective incident response. The project is intended for responders who need a reliable offline collector without the hassle of building from scratch.
- **Automated Build and Deployment**: Every commit to the `main` branch triggers a CI workflow (see `ci.yml`) which:
  - Checks the latest Velociraptor release version against the currently-built version (tracked in `data/velociraptor-version.json`).
  - If a new version is available, `spec.yaml` was modified, or `Windows.Triage.Targets` was updated, the build proceeds:
    - Fetches the latest Velociraptor Linux binary from its official release.
    - Verifies that the binary's SHA256 checksum matches the official release checksum.
    - Generates an offline collector using the provided configuration (`spec.yaml`).
    - Deploys the collector as a GitHub release for easy download.
  - If no changes are detected, the build is skipped to avoid unnecessary rebuilds.

  In addition, a scheduled run every Monday at 6pm UTC checks for updates to both the Velociraptor release version and the `Windows.Triage.Targets` artifact.
- **Configuration**: The collector behavior is defined in `spec.yaml`, detailing operating system, artifacts, collection parameters, and output settings.
- **Automated Builds**: CI workflows ensure that every update is built automatically and the latest version is available as a GitHub release.
- **Offline Collector**: Designed to run without network dependencies, the executable facilitates rapid triage on target systems.
- **Pre-configured Response Options**: Tailored for Windows environments, the spec includes options for valuable artifacts (e.g., KAPE triage targets, SANS triage, live system data, and Sysinternals Autoruns) to cover a wide range of triage scenarios.
- **Download and Run**: Download the latest release of the collector here (permalink).

  **Security Verification (Recommended)**: Verify the SHA256 checksum before running. The expected hash is published in the GitHub release notes. Compare it with:

  ```powershell
  Get-FileHash .\Velociraptor_Triage_Collector.exe -Algorithm SHA256
  ```

  Run the executable as an Administrator on the target system.
- **Triage Operation**: Upon execution, the collector gathers artifacts and zips them using a naming template (`Triage-%FQDN%-%TIMESTAMP%.zip`), making it easy to correlate with the system it was collected from.
  - NOTE: we intentionally chose not to encrypt or password protect the collection ZIP to make subsequent automated processing easier. Be mindful of this and never leave a triage collection behind on a compromised system or any other unsecured location.
- **Analyze Triage Collection**: Upon completion, you can either import the collection into a Velociraptor server or use a tool such as Plaso or OpenRelik to process the evidence.
If you wish to customize or build your own version, you can easily fork this repo:

- **Build Script**: Examine and modify the `build_collector.sh` script to understand how the collector is generated.
- **Configuration**: Adjust collection specifics in `spec.yaml` to suit your needs.
- **Continuous Integration**: The CI pipeline in `.github/workflows/ci.yml` orchestrates the build and release process. Builds occur conditionally:
  - When a new Velociraptor version is released
  - When `spec.yaml` is modified
  - When the `Windows.Triage.Targets` artifact is updated (detected via ETag)
  - On manual workflow dispatch

  The build script detects artifact and version changes that occur during the build process by tracking version state in `data/velociraptor-version.json`.
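The two gating decisions the pipeline makes (should we rebuild at all, and is the downloaded Velociraptor binary the one the official release published?) are small enough to show in full. The script below is an added illustration for this README, not the project's own `ci.yml` or `build_collector.sh`; it serves both the "Automated Build and Deployment" description and the "Continuous Integration" list above. The state-file fields `targets_etag` and `spec_sha256`, the function names, and the way a `spec.yaml` change is detected (a hash of the file rather than a git diff) are assumptions made for the example, and the data it runs on is constructed in a temporary directory, so it needs no network access.

```shell
#!/usr/bin/env bash
# Illustrative re-implementation of the README's build gating and checksum
# verification. Not the project's ci.yml/build_collector.sh; the JSON field
# names (version, targets_etag, spec_sha256) are assumptions for this example.

# Extract a string field from the flat JSON state file without depending on jq.
json_field() {  # usage: json_field <state.json> <key>
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1"
}

# Decide whether a rebuild is needed. Any of the three triggers the README lists
# causes a build: a new release version, a new ETag for Windows.Triage.Targets,
# or a modified spec.yaml (modelled here as a changed SHA256 of the file).
# Prints "build" or "skip"; returns 0 when a build is needed, 1 otherwise.
# A missing field reads as empty and therefore forces a build (fail towards rebuilding).
needs_build() {  # usage: needs_build <state.json> <latest_version> <latest_etag> <spec_sha256_now>
  tracked_version=$(json_field "$1" version)
  tracked_etag=$(json_field "$1" targets_etag)
  tracked_spec=$(json_field "$1" spec_sha256)
  if [ "$tracked_version" != "$2" ] || [ "$tracked_etag" != "$3" ] || [ "$tracked_spec" != "$4" ]; then
    echo build
    return 0
  fi
  echo skip
  return 1
}

# Portable SHA256: sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {  # usage: sha256_of <file>
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Refuse to build a collector from a binary whose checksum does not match the
# checksum published with the official release. Returns non-zero on mismatch so
# a caller running under set -e aborts the pipeline.
verify_release_binary() {  # usage: verify_release_binary <binary> <expected_sha256>
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    echo "checksum OK: $actual"
    return 0
  fi
  echo "checksum MISMATCH for $1: expected $2, got $actual" >&2
  return 1
}

# --- Demo on constructed data (temporary directory, no downloads) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/velociraptor-version.json" <<'EOF'
{"version": "v0.0.0-example", "targets_etag": "etag-old", "spec_sha256": "deadbeef"}
EOF
printf 'constructed stand-in for the release binary\n' > "$demo_dir/velociraptor-linux-amd64"
published=$(sha256_of "$demo_dir/velociraptor-linux-amd64")   # stands in for the release checksum

# Nothing changed: the run is skipped.
if needs_build "$demo_dir/velociraptor-version.json" v0.0.0-example etag-old deadbeef >/dev/null; then
  echo "unchanged state -> build"; else echo "unchanged state -> skip"; fi
# Only the artifact ETag changed: still enough to rebuild.
if needs_build "$demo_dir/velociraptor-version.json" v0.0.0-example etag-new deadbeef >/dev/null; then
  echo "new Windows.Triage.Targets ETag -> build"; else echo "new ETag -> skip"; fi

# Matching checksum passes; a tampered/corrupted download is rejected.
verify_release_binary "$demo_dir/velociraptor-linux-amd64" "$published"
verify_release_binary "$demo_dir/velociraptor-linux-amd64" \
  0000000000000000000000000000000000000000000000000000000000000000 || echo "build aborted"
rm -rf "$demo_dir"
```

In a real pipeline the `latest_version` and `latest_etag` arguments would come from the GitHub release API and the artifact server's response headers, and `verify_release_binary` would run before the Linux binary is ever executed to generate the collector; the point of keeping it a separate, non-zero-returning function is that a checksum mismatch stops the job instead of shipping a collector built from an unverified binary.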
- **Velociraptor Documentation**: More detailed information about offline collectors can be found in the Velociraptor docs.
- **Processing Triage Acquisitions**: For inspiration on how to process triage acquisitions generated by this tool, check out OpenRelik.
- **Understanding KAPE Targets**: This project uses the `Windows.Triage.Targets` artifact; the original KAPE Targets it is built on can be found here. The `Windows.Triage.Targets` artifact documentation is available at triage.velocidex.com.
- **License**: This project is licensed under the MIT License.
If you encounter issues or have suggestions for enhancement, feel free to open a GitHub issue on the repository.
Happy triaging!